Switches, Hubs, and Modems
cancel
Showing results for 
Search instead for 
Did you mean: 

IP Helper address overrides firewall ?

 
SOLVED
Go to solution
Frequent Advisor

IP Helper address overrides firewall ?

Hello,

i came across a strange problem (again ;) ). I've put my dhcp server into my VLAN with ip helper address.

On the firewall all requests to this server are blocked (except dhcp on port 67). I can get an ip address and everything works fine.

BUT i can also access shares on this server ?!? On all the other servers i can't (and thats the way i like it ;) ). It's the guest_VLAN and the client should only access the internet.

Can anyone tell me if i'm right and if yes .. what can i do about it ?

Greets
Stephan
15 REPLIES 15
Valued Contributor

Re: IP Helper address overrides firewall ?

It's true that IP helper enables all broadcasts.
What about denying SMB on the firewall? Seems like not everything is blocked.
Interesting case though.

As a workaround you could consider denying SMB access on the windows firewall from the guest VLAN/subnet.
Frequent Advisor

Re: IP Helper address overrides firewall ?

That would be a workaround. But at the moment i'm not sure if i can cover all the services. The server is also a DC and DNS server. So i have many ports to configure. I think i will do that when nobody tries to use this server.

But can someone prove this ? I mean port 445 is blocked and i can see that in my live log. So i don't understand why the access is possible.

Greets
Stephan
Valued Contributor

Re: IP Helper address overrides firewall ?

Because of the netbios forwardind i'd say. IP helper forwards all broadcast as far as i'm aware.
You can consider disabling netbios on the adapter of the server because it's legacy anyway. All servers should be DNS enabled.
Honored Contributor

Re: IP Helper address overrides firewall ?

"IP helper forwards all broadcast"
is not completely true....
IP-Helper makes the recieving router on the vlan transform the DHCP-requests from broadcasts to unicasts to the DHCP-server. With source addres comming from the router and not the subnet where the dhcp-request came from!

How is this router connected, and how is the firewall connected?
If the router (routing switch) has an interface in the client vlan and the DHCP-server vlan, this traffic will not pass the firewall but goes directly to the dhcp server
Also check your firewall filters, the requests comes from the routers ip-address.

please specify you network config (diagram) in more detail.
Valued Contributor

Re: IP Helper address overrides firewall ?

OK that's clarified :)
Although I'm sure disabling netbios fixes this, I'm curious what the root cause is
Frequent Advisor

Re: IP Helper address overrides firewall ?

Hello,

i*ve made some visio drawing.

The Firewall has a port tagged with vlan 99 and no vlan 1.

The DHCP Server has a connection to an untagged VLAN1 port. With an 172.20.20.12 Ip address.

The unauthorized clients gets an 192.168.99.10-150 ip address from this server.

Authorized get 172.20.20.50-254.

I hope this helps in further analysis.

The switches doesn't have "ip routing" enabled. This should be the task of the firewall.

Honored Contributor

Re: IP Helper address overrides firewall ?

>>> The Firewall has a port tagged with vlan 99 and no vlan 1.
<<<
I think you mean
The Firewall has only one port connected to the switch.
- tagged with vlan 99;
- untagged in vlan 1.
is this correct?
On the firewall you must have created a "subinterface" for vlan99 to process packets for this vlan.

The switches don't have ip routing enabled
=> so an ip-helper adress configured here has no function!
An ip-helper must be configured at the router!

Here the firewall must connect both networks at least for dhcp, so this must act as the router!
Here you must configure the dhcp-forwarding.
HowTo depends on the model.

The unauth client-port must be untagged in vlan99.
The authorized client-port must be untagged in vlan1.

The dhcp-server must have two dhcp-scopes, one for each subnet.
Frequent Advisor

Re: IP Helper address overrides firewall ?

The clients get their ip address right now without problems.

For the client port: I make the decision auth/unauth with an RADIUS Server. So the port is dynamically "configured"

I don't understand what you mean with:
The switches don't have ip routing enabled
=> so an ip-helper adress configured here has no function!
An ip-helper must be configured at the router!

Because it's working and when i disable the DHCP Rule on my firewall i also can see the blocked requests.

And you are right. My firewall is my router. It has an extra interface directly connected to the switch. And i thought without "ip routing" on the switch enabled every packet will pass the firewall.
Frequent Advisor

Re: IP Helper address overrides firewall ?

I mean extra VLAN connection and another one for the DEFAULT_VLAN